Google extends security rewards program to cover its own Chrome apps

Google is broadening its bug bounty program for security researchers to encompass all Chrome apps and extensions made by company. It’s also upping payments for its Patch Rewards Program, focused on improvements for open-source code. The company pays independent researchers for finding problems such as cross-site scripting flaws, SQL injection or authentication problems under its Vulnerability Reward Program, which started in November 2010.

Google has long run a rewards program for security researchers who find vulnerabilities in its software. Today, the company is extending this program to also cover its Chrome apps and extensions. These include extensions for Hangouts, Screen Capture, Google Translate, PageSpeed Insights and many others. The rewards for developers who find security vulnerabilities range from $500 to $10,000, depending on how grave the issue is. Most of Google’s other rewards programs top out at $20,000. In the announcement, Google Security Team members Eduardo Vela Nava and Michal Zalewski point out that they believe “developing Chrome extensions securely is relatively easy,” but because many of these apps are also very widely used, “we want to make sure efforts to keep them secure are rewarded accordingly.”

Read full article